The term "injection" refers to code injection, with code referring to any computer language. Since every computer language is different, the problems and solutions are also different and need to be addressed on a per-language basis. However, you have a generic function that tries to prevent all kinds of injections at once and, often, using the worst technique: removing user data.
For instance:
$headers = "From: " . strip_tags($from) . "\r\n";
What sense does it make to take an e-mail address and remove HTML tags from it to compose an e-mail header?
$data = htmlspecialchars($data);
You apply this to e.g. $_REQUEST['email']. Why would you want to insert HTML entities in an e-mail address?
In your code I see two potential sources for injection:
HTML - When you inject user data into HTML you need to ensure that user data is handled as plain text (i.e. whatever the user typed is not rendered as HTML). You can use htmlspecialchars(). You kind of do that but it's really hard to be sure.
E-mail headers - mail()'s fourth argument allows defining mail headers. Injecting raw user input there (which is possibly what's happening now) allows hiding the complete message body, replacing it with anything else and even selecting new recipients. You basically have to strip new lines (again, it's hard to say whether you're doing it right...).
Sending e-mail with PHP is hard. It's better to skip good old mail() and use a third-party library like PHPMailer or Swift Mailer.
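The two contexts named in the answer above, handled separately, as an added example that is not part of the original answer or the asker's code. The function names headerAddress() and htmlText() and the sample inputs are hypothetical; the header function rejects input containing line breaks instead of stripping it.

```php
<?php
declare(strict_types=1);

// E-mail header context: a header value must never contain CR or LF,
// and a From: value must be a syntactically valid address.
// Returns the address, or null when the input is not acceptable.
function headerAddress(string $input): ?string
{
    if (preg_match('/[\r\n]/', $input) === 1) {
        return null; // line break would start a new header or the body
    }
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// HTML context: keep what the user typed, but make it render as plain text.
function htmlText(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, standing in for $_REQUEST['email'].
$samples = [
    'visitor@example.com',
    "visitor@example.com\r\nBcc: other@example.org",
    '<b>visitor</b>@example.com',
];

foreach ($samples as $raw) {
    $from = headerAddress($raw);

    // Escaped copy for echoing the value back inside an HTML page.
    // json_encode() is used here only to make CR/LF visible on the console.
    $forHtml = json_encode(htmlText($raw), JSON_UNESCAPED_SLASHES);

    if ($from === null) {
        echo "rejected for header use; HTML-safe echo: $forHtml" . PHP_EOL;
        continue;
    }

    // Only a validated, single-line address reaches the header string.
    $headers = 'From: ' . $from . "\r\n";
    echo 'accepted; ' . rtrim($headers) . "; HTML-safe echo: $forHtml" . PHP_EOL;
}
```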